Inside Tufts: Institutional Review Board
Frequently Asked Questions (FAQs)

HIPAA
QUESTIONS
  1. What are the basics of HIPAA compliance for a researcher?
  2. What is "Minimum Necessary" under the HIPAA Privacy Rule?
  3. Who are the HIPAA Privacy Officers for Research?
  4. What responsibilities do clinical researchers have under the HIPAA Privacy Rule?
  5. What do I have to do if I get a waiver?
  6. Coded information is used for my study; does the HIPAA Privacy Rule apply?
  7. Is a RAF approved like a consent form?
  8. When should subjects sign the RAF?
  9. What is the Data Use Agreement required under the HIPAA Privacy Rule if a Limited Data Set is given to another party?
  10. Are HIPAA Research Authorizations or an IRB/Privacy Board Waiver required for databases I maintain containing PHI that are for future research?
  11. Are HIPAA Research Authorizations or an IRB/Privacy Board Waiver required for databases containing PHI on my patients that I keep on my computer?
  12. What is my responsibility for obtaining authorization under HIPAA to use Decedent PHI for my research?
  13. Does the HIPAA Privacy Rule apply to my studies if funding for the research does not come from either the FDA or the NIH?
  14. What is my responsibility under HIPAA for disclosing to study participants funding or other financial support when it is received from the sponsor?
  15. What are the penalties associated with failing to comply with HIPAA Privacy Rule regulations?
  16. Are we allowed to combine the HIPAA Research Authorization and Informed Consent that have to be reviewed and signed to enroll participants in a study?
  17. What are my alternatives when HIPAA Research Authorization is impractical for the study I want to conduct?
  18. Does the Informed Consent already required for clinical studies serve as a HIPAA Research Authorization?
  19. What information is required in a HIPAA Research Authorization?
  20. Informed Consent was obtained from participants in my study prior to April 14, 2003. Are these participants required to sign a HIPAA Research Authorization?
  21. IRB Consent Waivers have been obtained for some of my research studies; what is the status of these studies under the HIPAA Privacy Rule?
  22. Is a Limited Data Set considered PHI under the HIPAA Privacy Rule?
  23. Is the health information of normal healthy volunteers in my clinical research study considered PHI?
  24. How does the hospital Notice of Privacy Practice under the HIPAA Privacy Rule impact clinical research?
  25. Does the HIPAA Privacy Rule allow access to PHI to assist in recruitment of study participants?
  26. What is my responsibility when PHI is important to determining the feasibility of my study proposal, but it is impracticable to contact every patient?
  27. Does the use of PHI for Quality Assurance projects require a HIPAA Research Authorization or Waiver?
  28. My research files contain PHI that has been authorized for use under a HIPAA Research Authorization. Does the HIPAA Privacy Rule have any other requirements for this data?
  29. Researchers working at the hospital are not the Covered Entity; the hospital is, so how does the HIPAA Privacy Rule apply to them?
  30. Retrospective chart reviews are important to Research; do they require a signed HIPAA Research Authorization?
  31. How will Revocation of Authorization by study participants permitted under the HIPAA Privacy Rule impact my studies?
ANSWERS
  1. What are the basics of HIPAA compliance for a researcher?
    There are five means to comply with HIPAA:
    1. Obtain a research authorization
    2. Obtain a waiver of authorization
    3. Use a limited data set and put in place a data use agreement
    4. Use PHI from deceased subjects
    5. Use a completely de-identified dataset

    You also have limited ability to access PHI in "a review preparatory to research".
  2. What is "Minimum Necessary" under the HIPAA Privacy Rule?
    The HIPAA Privacy Rule requires that the amount of PHI used or disclosed be limited to the "minimum necessary" for the purpose.
  3. Who are the HIPAA Privacy Officers for Research?

    Jeffrey Weinstein is the HIPAA Privacy Officer for Research at Tufts Medical Center.

    Janet Markell is the HIPAA Privacy Officer for Research at Tufts University School of Dental Medicine.

  4. What responsibilities do clinical researchers have under the HIPAA Privacy Rule?

    The HIPAA Privacy Rule requires:

    1. Providing mandated information to research subjects about their privacy rights and how PHI can be used.
    2. Informing subjects about the right to access and amend their PHI.
    3. Adopting clear and systematic privacy and database security procedures.
    4. Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
    5. Securing records containing individually identifiable health information so that they are not readily available to those who do not need to see them.

  5. What do I have to do if I get a waiver?
    If you are granted a research authorization waiver, you must fulfill the accounting requirements. If you access 50 or fewer records, you must record the names of the persons. If you access 51 or more records, you may create a profile of the study population (e.g., men over age 70 with glaucoma and a history of hypertension). In either case, it is the responsibility of the investigator to report the names or profile to his/her institution's HIPAA Privacy Officer for Research.

  6. Coded information is used for my study; does the HIPAA Privacy Rule apply?
    The HIPAA Privacy Rule does not apply if all 18 HIPAA identifiers are removed. The HIPAA Privacy Rule does apply to the code that allows re-identification of the PHI. But, the Common Rule considers coded information to be indirectly identifiable.
  7. Is a RAF approved like a consent form?
    No. A RAF is not approved by the IRB/Privacy Board.

  8. When should subjects sign the RAF?
    Subjects are to sign the RAF at the same time they sign the consent form.

  9. What is the Data Use Agreement required under the HIPAA Privacy Rule if a Limited Data Set is given to another party?

    A Data Use Agreement is required to include the following elements:

    1. Limits use of the data
    2. Requires data safeguards
    3. Requires reporting of unauthorized uses or disclosures
    4. Prohibits contacting patients or "identifying the information"

  10. Are HIPAA Research Authorizations or an IRB/Privacy Board Waiver required for databases I maintain containing PHI that are for future research?
    Databases where PHI is placed, processed and stored that are resources for future research are Research for HIPAA purposes and require HIPAA Research Authorization or Waiver. Since the definition of Research is the same under HIPAA and the Common Rule these databases also require IRB approval.
  11. Are HIPAA Research Authorizations or an IRB/Privacy Board Waiver required for databases containing PHI on my patients that I keep on my computer?
    Investigators should review existing internal databases to determine whether the data serves operations or research purposes. Databases for research require HIPAA Research Authorization or an IRB/Privacy Board Waiver.
  12. What is my responsibility for obtaining authorization under HIPAA to use Decedent PHI for my research?

    Decedent PHI may be accessed for research without a HIPAA Research Authorization as long as:

    1. The PHI accessed is solely for research on the decedent.
    2. Documentation of death is available upon request.
    3. The PHI accessed is necessary for research.
    4. An attempt will not be made to obtain PHI, or other information, about a living relative of the decedent.

  13. Does the HIPAA Privacy Rule apply to my studies if funding for the research does not come from either the FDA or the NIH?
    The HIPAA Privacy Rule applies regardless of funding source even if FDA and HHS regulations are not applicable.
  14. What is my responsibility under HIPAA for disclosing to study participants funding or other financial support when it is received from the sponsor?
    The Final Privacy Rule eliminates the requirement to disclose in the HIPAA Research Authorization form if direct or indirect remuneration is received in exchange for use or disclosure of the health information.
  15. What are the penalties associated with failing to comply with HIPAA Privacy Rule regulations?
    There are both civil and criminal penalties for improper use or disclosure of PHI with fines as high as $25,000 for multiple violations in the same year or $250,000 and/or up to 10 years imprisonment for knowingly misusing PHI. These penalties are personal as well as institutional.
  16. Are we allowed to combine the HIPAA Research Authorization and Informed Consent that have to be reviewed and signed to enroll participants in a study?
    The Final Privacy Rule permits combining the HIPAA Research Authorization and the Informed Consent as long as the required elements of both documents are present. At Tufts Medical Center, the informed consent and the HIPAA Research Authorization form are two separate documents.

  17. What are my alternatives when HIPAA Research Authorization is impractical for the study I want to conduct?
    You may apply to the IRB/Privacy Board for a Waiver of HIPAA Research Authorization.
  18. Does the Informed Consent already required for clinical studies serve as a HIPAA Research Authorization?
    No. The HIPAA Research Authorization is not the same as the informed consent, since their purposes and requirements are different. The HIPAA Research Authorization addresses privacy issues; the Informed Consent discusses the risks, benefits, and subjects' rights with respect to the Research.

  19. What information is required in a HIPAA Research Authorization?

    A valid Authorization must include all of the following:

    1. Description of the information to be used or disclosed
    2. Identification of the persons authorized to make or use or disclose the protected health information
    3. A description of each purpose of the use or disclosure
    4. An expiration date or event ("no expiration date" may be used)
    5. The subject's signature and the date
    6. A legally authorized representative must describe their authority to act for the individual
    7. A statement that the subject may revoke the authorization in writing
    8. A statement that the health information may no longer be protected by the Privacy Rule once it is disclosed. The institutions have created a template.

  20. Informed Consent was obtained from participants in my study prior to April 14, 2003. Are these participants required to sign a HIPAA Research Authorization?
    Consent, authorization or other legal permission obtained prior to the mandatory compliance date (April 14, 2003) allows the PHI to be used after April 14, 2003 for the research. If, after April 14, 2003, a revised informed consent is required for prior enrollees, then a HIPAA RAF should be obtained from the prior enrollees.
  21. IRB Consent Waivers have been obtained for some of my research studies; what is the status of these studies under the HIPAA Privacy Rule?
    Waivers of Informed Consent prior to April 14, 2003 by the IRB are "grandfathered" as a Waiver of HIPAA Research Authorization. After April 14, 2003 separate waivers must be obtained for Informed Consent under the Common Rule and Research Authorization under HIPAA.
  22. Is a Limited Data Set considered PHI under the HIPAA Privacy Rule?
    Limited Data Sets are PHI under the HIPAA Privacy Rule. Limited Data Sets are restricted to Research, Operations, and Public Health purposes.
  23. Is the health information of normal healthy volunteers in my clinical research study considered PHI?
    The HIPAA Privacy Rule does not protect the health information of healthy normal volunteers, but hospital registration for these participants creates a clinical record that is PHI.
  24. How does the hospital Notice of Privacy Practice under the HIPAA Privacy Rule impact clinical research?
    A research unit that is part of a Covered Entity may need to provide the Notice of Privacy Practices to a subject if participation in a clinical trial is the initial contact with the Covered Entity.
  25. Does the HIPAA Privacy Rule allow access to PHI to assist in recruitment of study participants?
    PHI may be used for recruitment of study participants with an IRB/Privacy Board Waiver and qualifies for expedited review.
  26. What is my responsibility when PHI is important to determining the feasibility of my study proposal, but it is impracticable to contact every patient?

    The HIPAA Privacy Rule permits accessing PHI without a HIPAA Research Authorization for purposes preparatory to research (assessing feasibility or formulating hypotheses) as long as:

    1. The review is necessary for preparation.
    2. No PHI is removed.
    3. The PHI accessed is necessary for research. This is a review preparatory to research.

  27. Does the use of PHI for Quality Assurance projects require a HIPAA Research Authorization or Waiver?
    Quality Assurance (QA) activities that are part of health care operations are permitted under the HIPAA Privacy Rule as "health care operations" so no separate authorization or waiver is required. QA activities that are research require HIPAA Research Authorization or Waiver.
  28. My research files contain PHI that has been authorized for use under a HIPAA Research Authorization. Does the HIPAA Privacy Rule have any other requirements for this data?

    There are HIPAA Security Standards that require reasonable operational, technical and physical safeguards for PHI that:

    1. Ensure confidentiality and integrity of information
    2. Prevent unauthorized use or disclosure
    3. Protect against external threats and physical hazards

    Contact your Information Technology office for more information about HIPAA security standards.

  29. Researchers working at the hospital are not the Covered Entity; the hospital is, so how does the HIPAA Privacy Rule apply to them?
    The HIPAA Privacy Rule covers researchers within a Covered Entity because they generate PHI (e.g. in clinical trials) and receive, access or use PHI.
  30. Retrospective chart reviews are important to Research; do they require a signed HIPAA Research Authorization?
    No. A retrospective chart review is eligible for a HIPAA Waiver under the IRB/Privacy Board and qualifies for expedited review.
  31. How will Revocation of Authorization by study participants permitted under the HIPAA Privacy Rule impact my studies?
    Research study participants cannot revoke authorization to the extent that the study is reliant on previously authorized information. You may continue to use data already collected to protect the integrity or accuracy of a study. A research participant's revocation must be in writing.

© 2009 Trustees of Tufts College. All rights reserved.